From 647352340c20c25b22f604976f9c480dba1c2e23 Mon Sep 17 00:00:00 2001
From: Ee Durbin <ewdurbin@gmail.com>
Date: Wed, 18 Dec 2024 15:29:24 -0500
Subject: [PATCH] always set x-client-ip from frontend

This condition was in place to support the proxy nonsense we had going that was removed in https://github.com/python/psf-salt/pull/543, we can go ahead and always set this now that our frontend is handling tls
---
 salt/haproxy/config/haproxy.cfg.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/haproxy/config/haproxy.cfg.jinja b/salt/haproxy/config/haproxy.cfg.jinja
index c42c9752..c6d1e28f 100644
--- a/salt/haproxy/config/haproxy.cfg.jinja
+++ b/salt/haproxy/config/haproxy.cfg.jinja
@@ -140,10 +140,10 @@ frontend main
     # Deny requests that are not served from this host
     http-request deny if !our_domains !letsencrypt-well-known-acl
 
+    http-request set-header X-Client-IP %[src]
     # Tell the backend servers whether this request is being served via TLS or
     # not. This should pretty much *always* be yes since we unconditionally
     # redirect to HTTPS in HAProxy.
-    http-request set-header X-Client-IP %[src] if !is_tls
     http-request set-header X-Forwarded-Proto https if is_tls
     http-request set-header X-Forwarded-Proto http  if !is_tls